Whenever I hear/read lots of words about how secure something is and how strong their commitment to security is, I think “they don’t know what they don’t know”.
We should all admit that we don't know what we don't know. But the default behavior afterwards should be to assume that the software/system is insecure, fixing the defects we can find and surrounding it by rings of moats (defense-in-depth). When you don't know what you don't know and then declare it to be secure, there's an extra layer of indirection and perhaps a bit of hubris.